El-errata: New Ksplice updates for UEKR5 4.14.35 on OL7 (ELSA-2022-9477)
Synopsis: ELSA-2022-9477 can now be patched using Ksplice
CVEs: CVE-2021-3772 CVE-2021-4197 CVE-2022-0487 CVE-2022-1048 CVE-2022-1353 CVE-2022-1419 CVE-2022-28390
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2022-9477.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2022-9477.html
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running UEKR5 4.14.35
on OL7 install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2022-1353: Information disclosure in PF_KEYv2 socket subsystem.
An incorrect initialization of Security Association data structures by the
PF_KEYv2 socket subsystem could leak previous values stored in that kernel
memory. A local, unprivileged user can use this to gain access to kernel memory
and cause a denial-of-service or leak kernel information.
* CVE-2021-3772: Denial-of-service in the SCTP Network subsystem.
A flaw in the SCTP networking subsystem may allow an attacker to cause
denial-of-service by killing existing SCTP associations.
* CVE-2022-28390: Code execution in EMS CPC-USB/ARM7 CAN/USB interface.
A double-free flaw in data transmission path of EMS CPC-USB/ARM7 CAN/USB
interface could result in memory leaks and data corruption. A local user
could use this flaw for a denial-of-service or code execution.
* CVE-2022-1419: Information disclosure in Virtual Graphics Memory Manager.
A race condition flaw in Virtual Graphics Memory Manager when creating
a DRM GEM instance could result in use-after-free. A local user could
use this flaw for information disclosure.
Orabug: 34111756
* CVE-2022-0487: Use-after-free in Realtek USB Memstick Card Interface Driver.
A use-after-free flaw in the Realtek USB Memstick Card Interface driver can
lead to a race condition. This could allow a local user to cause
denial-of-service or leak internal kernel information.
Orabug: 34132125
* CVE-2022-1048: Code execution in Advanced Linux Sound Architecture framework.
A race condition due to a missing locking in the Advanced Linux Sound
Architecture framework could result in a use-after-free. A local user
could use this flaw to cause a denial-of-service or execute arbitrary
code.
Orabug: 34007906
* CVE-2021-4197: Privilege escalation in Control Groups.
A flaw in permission checks of Control Groups subsystem could allow
an unprivileged write to the file handler. A local user could use this
flaw for a denial-of-service or privilege escalation.
SUPPORT
Ksplice support is available at ksplice-support_ww@oracle.com.
_______________________________________________
New Ksplice updates for UEKR5 4.14.35 are available for Oracle Linux 7.
